penguinzephyr
commented
8 years ago Downgrading shadowget.rb to the version included in the final 3.22.0 version results in the program operating correctly, but it does mean its using less secure SSL.
Closed penguinzephyr closed 8 years ago
penguinzephyr
commented
8 years ago Downgrading shadowget.rb to the version included in the final 3.22.0 version results in the program operating correctly, but it does mean its using less secure SSL.
steve8x8
commented
8 years ago Sorry to hear that. Don't like... I'm surprised though that there's still Ruby 1.x in Ubuntu 14 - would 2.y be an option for now? Even the Windows installer has been using 2.0 for what feels like years
penguinzephyr
commented
8 years ago Whoops, it didnt even occur to me Ubuntu might not have the latest rubys in its default repository.
I installed ruby2.2 just then and it fixed any issues.
Thanks for this awesome tool :)
steve8x8
commented
8 years ago Um, from https://bugs.ruby-lang.org/issues/9424 and http://stackoverflow.com/questions/11059059/is-it-possible-to-enable-tls-v1-2-in-ruby-if-so-how I got the (possibly wrong?) impression that the whole TLS 1.2 business had been resolved more than a year ago. I know that Ubuntu (mostly being derived from Debian Sid) is usually ahead of stable Debian, and should also provide security updates to older packages... apparently that's not the case for ruby 1.9.
Good to know that ruby 2.2 (wow... I'm still stuck with 2.1.5, Debian Jessie) and probably all 2.x resolves this issue - may I ask for some feedback regarding Windows (as the installer comes with 2.0 packed)?
Got to seriously work on issue 301 (drop ruby 1.9, and perhaps even 2.0) next. I'll also add a fallback and warning should TLSv1_2 be unknown... the warning will pop up with every HTTPS access then... well...
steve8x8
commented
8 years ago To do: merge with Issue 322
steve8x8
commented
8 years ago Patch (could someone please test this with 1.9.3):
diff -Nur -I '$Id' -I '$HeadURL:' geotoad.trunc/lib/shadowget.rb geotoad.myown/lib/shadowget.rb
+++ geotoad.myown/lib/shadowget.rb 2015-09-01 09:49:23.455216030 +0200
--- geotoad.trunc/lib/shadowget.rb 2015-08-30 15:54:44.000000000 +0200
@@ -280,19 +280,25 @@
end
if uri.scheme == 'https'
http.use_ssl = true
# this was for a long time kind of security by obscurity
- http.verify_mode = OpenSSL::SSL::VERIFY_PEER
- # reduce set of ciphers
- # https://www.ssllabs.com/ssltest/analyze.html?d=geocaching.com, drop <256 bit
- #http.ciphers = [ 'RC4-SHA', 'AES128-SHA', 'AES256-SHA', 'DES-CBC3-SHA' ]
- #http.ciphers = OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ciphers].split(/:/).map{ |c|
- # (c =~ /(RC4|AES128|DES)/) ? nil : c
- #}.compact.join(':')
- http.ciphers = OpenSSL::SSL::SSLContext.new(:TLSv1_2).ciphers.map{ |c,x,y,z|
- (z >= 256) ? c : nil
- }.compact.join(':')
- # force ssl context http://www.ruby-forum.com/topic/200072
- http.instance_eval { @ssl_context = OpenSSL::SSL::SSLContext.new(:TLSv1_2) }
+ # apparently there are still old Rubies around which would crash with TLSv1_2
+ begin
+ http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+ # reduce set of ciphers
+ # https://www.ssllabs.com/ssltest/analyze.html?d=geocaching.com, drop <256 bit
+ http.ciphers = OpenSSL::SSL::SSLContext.new(:TLSv1_2).ciphers.map{ |c,x,y,z|
+ (z >= 256) ? c : nil
+ }.compact.join(':')
+ # force ssl context http://www.ruby-forum.com/topic/200072
+ http.instance_eval { @ssl_context = OpenSSL::SSL::SSLContext.new(:TLSv1_2) }
+ rescue => e
+ displayWarning "TLSv1_2 error #{e}, fallback to TLSv1"
+ http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+ # http://gursevkalra.blogspot.de/2009/09/ruby-and-openssl-based-ssl-cipher.html
+ http.ciphers = [ 'RC4-SHA', 'AES128-SHA', 'AES256-SHA', 'DES-CBC3-SHA' ]
+ # http://www.ruby-forum.com/topic/200072
+ http.instance_eval { @ssl_context = OpenSSL::SSL::SSLContext.new(:TLSv1) }
+ end
end
query = uri.pathI still haven't found out how to attach patch files :((
penguinzephyr
commented
8 years ago I should make a note that i run geotoad by cloning this github and running 'ruby geotoad.rb'.
Windows version happily installed on my Windows 10 64bit and happily just generated a GPX file consisting of 127 caches. No bugs found.
Just tried to install the .deb version of geotoad (3.24.0), however its informing me that i have unmet dependencies. Upon running sudo apt-get -f install, it reinstalled ruby 1.9.3 and ran flawlessly??
I will do some more testing tomorrow. My issue may of just been because i was attempting to run directly from the cloned repository. Sorry for the bother.
Once i am back on my main desktop with more RAM i will spin up some VM's and do some more testing. My little laptop wont handle it. That wont be for another week still but.
steve8x8
commented
8 years ago You're shooting faster than my shadow.
Indeed, 3.24.0 was clean, and only a commit on Aug 30 (two days after the release) merged the patch that had been published for testing in Issue 322 a couple of weeks ago, with no negative reports. Git head is a moving target, and you might want to use one of the (tagged) versions, or even better the tarball that gets published on GDrive - not the one GitHub makes (b/c of version strings).
Re unmet dependencies: details please. I haven't seen any with Debian Jessie, or Wheezy. I presume you're using "dpkg -i"? Then you've got to take care of dependencies yourself, probably...
steve8x8
commented
8 years ago OK, now that it has become clear that it wasn't thr release that broke, and the whole issue is very closely related to Issue #322, I'm closing this issue. Please contribute to Issue #322. Thanks.
Just upgraded to 3.24.0, and discovered it breaks... everything.
Upon trying to run geotoad using my original cache files, i recieved the following errors when i tried to generate output.
However upon clearing all cache files i now cant open it at all. I now get the following error.
Ubuntu 14.04 64bit. Ruby 1.9.3.
Downgrading to build 3.22.0 has fixed the issue.